fix(test): dropped file:// from k8s audit log tests.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Federico Di Pierro 2022-05-26 11:52:01 +02:00 committed by poiana
parent db5f1bec3d
commit 75712caa9a


@ -26,7 +26,7 @@ trace_files: !mux
detect_counts:
- Create Disallowed Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_allowed_pod:
detect: False
@ -35,7 +35,7 @@ trace_files: !mux
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/engine_v4/allow_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_privileged_pod:
detect: True
@ -46,7 +46,7 @@ trace_files: !mux
detect_counts:
- Create Privileged Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
compat_engine_v4_create_privileged_trusted_pod:
detect: False
@ -56,7 +56,7 @@ trace_files: !mux
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
compat_engine_v4_create_unprivileged_pod:
detect: False
@ -64,7 +64,7 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
compat_engine_v4_create_hostnetwork_pod:
detect: True
@ -75,7 +75,7 @@ trace_files: !mux
detect_counts:
- Create HostNetwork Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
compat_engine_v4_create_hostnetwork_trusted_pod:
detect: False
@ -85,7 +85,7 @@ trace_files: !mux
- ./rules/k8s_audit/engine_v4_k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
user_outside_allowed_set:
detect: True
@ -97,7 +97,7 @@ trace_files: !mux
detect_counts:
- Disallowed K8s User: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
user_in_allowed_set:
detect: False
@ -108,7 +108,7 @@ trace_files: !mux
- ./rules/k8s_audit/allow_user_some-user.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
create_disallowed_pod:
detect: True
@ -120,7 +120,7 @@ trace_files: !mux
detect_counts:
- Create Disallowed Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_allowed_pod:
detect: False
@ -129,7 +129,7 @@ trace_files: !mux
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/allow_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_privileged_pod:
detect: True
@ -140,7 +140,7 @@ trace_files: !mux
detect_counts:
- Create Privileged Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
create_privileged_no_secctx_1st_container_2nd_container_pod:
detect: True
@ -151,7 +151,7 @@ trace_files: !mux
detect_counts:
- Create Privileged Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_no_secctx_1st_container_privileged_2nd_container.json
create_privileged_2nd_container_pod:
detect: True
@ -162,7 +162,7 @@ trace_files: !mux
detect_counts:
- Create Privileged Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged_2nd_container.json
create_privileged_trusted_pod:
detect: False
@ -171,7 +171,7 @@ trace_files: !mux
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_privileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_privileged.json
create_unprivileged_pod:
detect: False
@ -179,7 +179,7 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_unprivileged_trusted_pod:
detect: False
@ -188,7 +188,7 @@ trace_files: !mux
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
create_sensitive_mount_pod:
detect: True
@ -199,7 +199,7 @@ trace_files: !mux
detect_counts:
- Create Sensitive Mount Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
create_sensitive_mount_2nd_container_pod:
detect: True
@ -210,7 +210,7 @@ trace_files: !mux
detect_counts:
- Create Sensitive Mount Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount_2nd_container.json
create_sensitive_mount_trusted_pod:
detect: False
@ -219,7 +219,7 @@ trace_files: !mux
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_sensitive_mount.json
create_unsensitive_mount_pod:
detect: False
@ -227,7 +227,7 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
create_unsensitive_mount_trusted_pod:
detect: False
@ -236,7 +236,7 @@ trace_files: !mux
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unsensitive_mount.json
create_hostnetwork_pod:
detect: True
@ -247,7 +247,7 @@ trace_files: !mux
detect_counts:
- Create HostNetwork Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
create_hostnetwork_trusted_pod:
detect: False
@ -256,7 +256,7 @@ trace_files: !mux
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_hostnetwork.json
create_nohostnetwork_pod:
detect: False
@ -264,7 +264,7 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
create_nohostnetwork_trusted_pod:
detect: False
@ -273,7 +273,7 @@ trace_files: !mux
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/trust_nginx_container.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_nohostnetwork.json
create_nodeport_service:
detect: True
@ -285,7 +285,7 @@ trace_files: !mux
detect_counts:
- Create NodePort Service: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nodeport.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nodeport.json
create_nonodeport_service:
detect: False
@ -294,7 +294,7 @@ trace_files: !mux
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_service_nonodeport.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_service_nonodeport.json
create_configmap_private_creds:
detect: True
@ -306,7 +306,7 @@ trace_files: !mux
detect_counts:
- Create/Modify Configmap With Private Credentials: 6
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_sensitive_values.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_sensitive_values.json
create_configmap_no_private_creds:
detect: False
@ -315,7 +315,7 @@ trace_files: !mux
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap_no_sensitive_values.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap_no_sensitive_values.json
anonymous_user:
detect: True
@ -326,7 +326,7 @@ trace_files: !mux
detect_counts:
- Anonymous Request Allowed: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/anonymous_creates_namespace_foo.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/anonymous_creates_namespace_foo.json
pod_exec:
detect: True
@ -337,7 +337,7 @@ trace_files: !mux
detect_counts:
- Attach/Exec Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/exec_pod.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/exec_pod.json
pod_attach:
detect: True
@ -348,7 +348,7 @@ trace_files: !mux
detect_counts:
- Attach/Exec Pod: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_pod.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_pod.json
namespace_outside_allowed_set:
detect: True
@ -360,7 +360,7 @@ trace_files: !mux
detect_counts:
- Create Disallowed Namespace: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
namespace_in_allowed_set:
detect: False
@ -370,7 +370,7 @@ trace_files: !mux
- ./rules/k8s_audit/allow_namespace_foo.yaml
- ./rules/k8s_audit/disallow_kactivity.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/minikube_creates_namespace_foo.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/minikube_creates_namespace_foo.json
create_pod_in_kube_system_namespace:
detect: True
@ -381,7 +381,7 @@ trace_files: !mux
detect_counts:
- Pod Created in Kube Namespace: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_system_namespace.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_system_namespace.json
create_pod_in_kube_public_namespace:
detect: True
@ -392,7 +392,7 @@ trace_files: !mux
detect_counts:
- Pod Created in Kube Namespace: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_pod_kube_public_namespace.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_pod_kube_public_namespace.json
create_serviceaccount_in_kube_system_namespace:
detect: True
@ -403,7 +403,7 @@ trace_files: !mux
detect_counts:
- Service Account Created in Kube Namespace: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_system_namespace.json
create_serviceaccount_in_kube_public_namespace:
detect: True
@ -414,7 +414,7 @@ trace_files: !mux
detect_counts:
- Service Account Created in Kube Namespace: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount_kube_public_namespace.json
system_clusterrole_deleted:
detect: True
@ -425,7 +425,7 @@ trace_files: !mux
detect_counts:
- System ClusterRole Modified/Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_cluster_role_kube_aggregator.json
system_clusterrole_modified:
detect: True
@ -436,7 +436,7 @@ trace_files: !mux
detect_counts:
- System ClusterRole Modified/Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/modify_cluster_role_node_problem_detector.json
attach_cluster_admin_role:
detect: True
@ -447,7 +447,7 @@ trace_files: !mux
detect_counts:
- Attach to cluster-admin Role: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/attach_cluster_admin_role.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/attach_cluster_admin_role.json
create_cluster_role_wildcard_resources:
detect: True
@ -458,7 +458,7 @@ trace_files: !mux
detect_counts:
- ClusterRole With Wildcard Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_resources.json
create_cluster_role_wildcard_verbs:
detect: True
@ -469,7 +469,7 @@ trace_files: !mux
detect_counts:
- ClusterRole With Wildcard Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_wildcard_verbs.json
create_writable_cluster_role:
detect: True
@ -480,7 +480,7 @@ trace_files: !mux
detect_counts:
- ClusterRole With Write Privileges Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_write_privileges.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_write_privileges.json
create_pod_exec_cluster_role:
detect: True
@ -491,7 +491,7 @@ trace_files: !mux
detect_counts:
- ClusterRole With Pod Exec Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_cluster_role_pod_exec.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_cluster_role_pod_exec.json
create_deployment:
detect: True
@ -502,7 +502,7 @@ trace_files: !mux
detect_counts:
- K8s Deployment Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_deployment.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_deployment.json
delete_deployment:
detect: True
@ -513,7 +513,7 @@ trace_files: !mux
detect_counts:
- K8s Deployment Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_deployment.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_deployment.json
create_service:
detect: True
@ -524,7 +524,7 @@ trace_files: !mux
detect_counts:
- K8s Service Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service.json
delete_service:
detect: True
@ -535,7 +535,7 @@ trace_files: !mux
detect_counts:
- K8s Service Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_service.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_service.json
create_configmap:
detect: True
@ -546,7 +546,7 @@ trace_files: !mux
detect_counts:
- K8s ConfigMap Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_configmap.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_configmap.json
delete_configmap:
detect: True
@ -557,7 +557,7 @@ trace_files: !mux
detect_counts:
- K8s ConfigMap Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_configmap.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_configmap.json
create_namespace:
detect: True
@ -570,7 +570,7 @@ trace_files: !mux
detect_counts:
- K8s Namespace Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/some-user_creates_namespace_foo.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/some-user_creates_namespace_foo.json
delete_namespace:
detect: True
@ -581,7 +581,7 @@ trace_files: !mux
detect_counts:
- K8s Namespace Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_namespace_foo.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_namespace_foo.json
create_serviceaccount:
detect: True
@ -592,7 +592,7 @@ trace_files: !mux
detect_counts:
- K8s Serviceaccount Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_serviceaccount.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_serviceaccount.json
delete_serviceaccount:
detect: True
@ -603,7 +603,7 @@ trace_files: !mux
detect_counts:
- K8s Serviceaccount Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_serviceaccount.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_serviceaccount.json
create_clusterrole:
detect: True
@ -614,7 +614,7 @@ trace_files: !mux
detect_counts:
- K8s Role/Clusterrole Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrole.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrole.json
delete_clusterrole:
detect: True
@ -625,7 +625,7 @@ trace_files: !mux
detect_counts:
- K8s Role/Clusterrole Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrole.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrole.json
create_clusterrolebinding:
detect: True
@ -636,7 +636,7 @@ trace_files: !mux
detect_counts:
- K8s Role/Clusterrolebinding Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_clusterrolebinding.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_clusterrolebinding.json
delete_clusterrolebinding:
detect: True
@ -647,7 +647,7 @@ trace_files: !mux
detect_counts:
- K8s Role/Clusterrolebinding Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_clusterrolebinding.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_clusterrolebinding.json
create_secret:
detect: True
@ -658,7 +658,7 @@ trace_files: !mux
detect_counts:
- K8s Secret Created: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_secret.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_secret.json
# Should *not* result in any event as the secret rules skip service account token secrets
create_service_account_token_secret:
@ -668,7 +668,7 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_service_account_token_secret.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_service_account_token_secret.json
create_kube_system_secret:
detect: False
@ -677,7 +677,7 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_kube_system_secret.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_kube_system_secret.json
delete_secret:
detect: True
@ -688,7 +688,7 @@ trace_files: !mux
detect_counts:
- K8s Secret Deleted: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/delete_secret.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/delete_secret.json
fal_01_003:
detect: False
@ -697,7 +697,7 @@ trace_files: !mux
- ../rules/falco_rules.yaml
- BUILD_DIR/k8saudit-rules-prefix/src/k8saudit-rules/k8s_audit_rules.yaml
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/fal_01_003.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/fal_01_003.json
stderr_contains: 'data not recognized as a k8s audit event'
json_pointer_correct_parse:
@ -708,4 +708,4 @@ trace_files: !mux
detect_counts:
- json_pointer_example: 1
conf_file: BUILD_DIR/test/confs/plugins/k8s_audit.yaml
addl_cmdline_opts: -o plugins[0].open_params=file://trace_files/k8s_audit/create_nginx_pod_unprivileged.json
addl_cmdline_opts: -o plugins[0].open_params=trace_files/k8s_audit/create_nginx_pod_unprivileged.json
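Review bot: The new `open_params` values are bare relative paths (`trace_files/k8s_audit/...`), so they presumably resolve against the directory the test process runs from, whereas the neighbouring `conf_file` entries are anchored with `BUILD_DIR`; this applies to every hunk in the file. For the `detect: False` cases nothing visible in the hunks confirms that the audit log was actually opened and parsed. Depending on how the harness treats a plugin open error, a path that fails to resolve could let a negative test pass without exercising the rule; only `fal_01_003` pins its input, via `stderr_contains`. I would state the assumption once above the first case, e.g. `# open_params is a plain path (no file:// scheme), relative to the directory the tests are run from`, and confirm that the harness fails a case when the plugin cannot open its input. The test-case mappings begin and end outside the hunks, so neither the rule lists nor any exit-code checks are visible here.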